I've decided to consolidate various tips, tricks, and random config info into a thread. Hopefully someone will find it useful.
The original thread can be found here:
https://forums.freenas.org/index.php?threads/cifs-smb-samba-tips-and-tricks.34995/
Please discuss this Resource in the linked thread.
Access based share enumeration in SMB
If you configure your share as I highlight below, then the share will only be visible to users who have read or write access to the share during share enumeration (for example net view \\freenas). This how-to is for AD member servers, but the steps can be modified to accommodate standalone Samba servers.
Step 1:
In Windows, right-click "Computer Management" and click "Run as Administrator". Enter admin credentials, then right-click on your computer in the left pane and click "Connect to another computer". Enter the address of your FreeNAS server.
Step 2:
In Computer Management, expand "System" -> "Shared Folders" -> "Shares", right-click on the share for which you want to configure Access Based Share Enumeration, and click on Properties.
Step 3:
In the Properties window, click on "Share Permissions". Add the groups that need access to the share and remove the "Everyone" entry. Click "Apply" then "OK". Close Computer Management.
Step 4:
Open the FreeNAS web GUI and add the following auxiliary parameter to your SMB share: "access based share enum=yes"
Done.
Steps (1) - (3) can be achieved locally on a FreeNAS server through the "sharesec" command-line utility. Its manpage can be found here: https://www.samba.org/samba/docs/man/manpages/sharesec.1.html. Using it requires knowing the SIDs of groups that you want to add / modify.
Note: Steps (1)-(3) edit Windows NT ACLs, which are stored in Samba's share_info.tdb and are not affected by your choice of "Unix" or "Windows" permissions type.
Hide a share from all users
Method 1:
Uncheck the box "Browsable to Network Clients" in your share's configuration.
Method 2:
Append a "$" to your share's name.
Note: I have found Method 2 to be somewhat more reliable.
Finding out who has a file open and then closing it
Periodically, someone will approach me and say "someone has file x open". There are several methods to view open files.
Method 1 - Computer Management in Windows Client.
Step 1 - In Windows, right-click "Computer Management" and click "Run as Administrator". Enter admin credentials, then right-click on your computer in the left pane and click "Connect to another computer". Enter the address of your FreeNAS server.
Step 2 - In Computer Management, expand "System Tools" -> "Shared Folders" -> "Open Files"
Step 3 - Find the file you want to close, right-click on it, and click "Close Open File"
Method 2 - Locally in FreeNAS
Step 1 - Type
smbstatus -L
in the CLI of FreeNAS.
Step 2 - Note the Pid of the samba session that has the file open.
Step 3 - Type
kill <Pid>
in the FreeNAS CLI.
Note: Method 2 will kill the entire samba session of the user who has the file open, which may end up making you very unpopular.
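Because Method 2 ends the whole session, it helps to see what else each holder has open before killing anything. The following is an added example, not part of the original post: lock_holders and sample_locks are hypothetical names, and the sample input is constructed on the assumption that data rows of smbstatus -L start with the numeric Pid.

```shell
#!/bin/sh
# Added example: for a given file name, list each smbd Pid that holds it and
# the total number of lock entries that Pid has (what is lost if it is killed).
# On a real server: smbstatus -L | lock_holders 'budget.xlsx'

# Prints "Pid<TAB>total_entries" for every Pid whose row mentions $1.
# The match is a plain substring test on the whole row, so it also hits
# share paths that contain the string.
lock_holders() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {                 # data rows start with a numeric Pid
            total[$1]++
            if (index($0, want)) hit[$1] = 1
        }
        END { for (p in hit) printf "%s\t%d\n", p, total[p] }
    ' | sort -n
}

# Constructed sample input (not captured from a real server).
sample_locks() {
    cat <<'EOF'
Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
4211         1001       DENY_NONE  0x120089    RDONLY     NONE             /mnt/tank/test   budget.xlsx   Mon Jan  6 09:14:02 2020
4211         1001       DENY_NONE  0x100081    RDONLY     NONE             /mnt/tank/test   .   Mon Jan  6 09:13:40 2020
4211         1001       DENY_WRITE 0x12019f    RDWR       NONE             /mnt/tank/test   notes.docx   Mon Jan  6 09:20:11 2020
5102         1002       DENY_NONE  0x120089    RDONLY     NONE             /mnt/tank/test   budget.xlsx   Mon Jan  6 09:30:55 2020
6033         1003       DENY_NONE  0x120089    RDONLY     NONE             /mnt/tank/test   other.txt   Mon Jan  6 09:41:17 2020
EOF
}

sample_locks | lock_holders 'budget.xlsx'
```

In the sample, Pid 4211 holds three entries, so killing it also drops that user's handle on notes.docx.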
Adjust NT Share Permissions through "sharesec" in the CLI
Permissions set on shared directories are called share permissions, and they determine who can use shared directories over the network, and in what manner. They are the only access control method available for shared directories on FAT volumes on Windows servers, and in the Windows world are generally recommended only for shares on filesystems that lack ACL support.
In Samba, Share Permissions are handled through the share_info.tdb file and function independently of file system permissions. The share-level permissions as defined here only represent the maximum level of access a user or group has in a share. These can provide a relatively simple and intuitive way to manage access control in situations where managing access control through NTFS / ZFS ACLs is impractical or undesirable. In the absence of specific restrictions, the default setting in Samba is to allow the global user Everyone - Full Control (full control, change and read).
Share Permissions can be modified locally on the FreeNAS server by using the command line utility sharesec, which is a part of the Samba Suite. An administrator will need to view the idmap entries on the local FreeNAS servers to determine the appropriate SID value for the user / group to which he or she wishes to grant access. A sample command to add full access for SID S-1-5-21-1866488690-1365729215-3963860297-17724 on the share "test" is as follows:
sharesec test -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL
The share-level ACL can be viewed locally from the command line on a FreeNAS server by entering the command
sharesec share -v
For instance, if a FreeNAS server has the share test, the ACL on test can be viewed through the command
sharesec test -v
Sample output from this command is as follows:
Code:
[root@rivendell] ~# sharesec test -v
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL
Alternatively, you can view all ACLs by typing the command
sharesec --view-all
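Both the access based share enumeration steps and this sharesec section depend on the "Everyone" entry (S-1-1-0) having been removed from a share's ACL. The following is an added example, not part of the original post, that lists shares where that entry is still allowed. everyone_shares and sample_view_all are hypothetical names, and the sample input is constructed on the assumption that --view-all prints a "[share]" line followed by the same fields shown for sharesec test -v.

```shell
#!/bin/sh
# Added example: flag shares whose share-level ACL still allows Everyone.
# Such shares stay visible to every user even with
# "access based share enum=yes" set.
# On a real server: sharesec --view-all | everyone_shares

# Prints "share<TAB>access" for every ALLOWED entry granted to S-1-1-0.
everyone_shares() {
    awk '
        /^\[.*\]$/ { share = substr($0, 2, length($0) - 2); next }
        /^ACL:S-1-1-0:ALLOWED\// {
            n = split($0, part, "/")      # ACL:SID:TYPE/FLAGS/MASK
            printf "%s\t%s\n", share, part[n]
        }
    '
}

# Constructed sample input (not captured from a real server).
sample_view_all() {
    cat <<'EOF'
[test]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL

[finance]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL

[scans]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/READ
ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/CHANGE
EOF
}

sample_view_all | everyone_shares
```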
Samba 4.7+ (FreeNAS 11.1)
Add the auxiliary parameter
mangled names = illegal
Advice regarding directories with lots of files is based on information provided by JRA here: http://marc.info/?l=samba&m=139336252926228&w=2